Re: problem with 802.1x authenticating

From: Niklas (niklas_at_NOSPAMhotmail.com)
Date: 06/02/04

    Date: Wed, 2 Jun 2004 16:24:45 +0200
    
    

    Well, it was easier said than done to find any useful information in these
    logs :)
    I got a few log files but none seems to be obviously wrong.
    The only thing I could see that had anything to do with an error was in the
    RASTLS.LOG:
    [3728] 16:02:38:335: EapTlsSMakeMessage
    [3728] 16:02:38:335: MakeReplyMessage
    [3728] 16:02:38:335: SecurityContextFunction
    [3728] 16:02:38:335: AcceptSecurityContext returned 0x0
    [3728] 16:02:38:335: AuthenticateUser
    [3728] 16:02:38:335: QueryContextAttributes failed and returned 0x8009030e
    [3728] 16:02:38:335: Got no credentials from the client and executing PEAP. This is a success for eaptls.
    [3728] 16:02:38:335: CreateMPPEKeyAttributes
    [3728] 16:02:38:335: State change to SentFinished
    [3728] 16:02:38:335: Negotiation successful

    What does "This is a success for eaptls" mean? I'm using MS-CHAP v2, not
    EAP-TLS.

    thanks
    /Niklas

    "Jan-Erik" <Jan-Erik.177igq@mail.webservertalk.com> wrote in message
    news:Jan-Erik.177igq@mail.webservertalk.com...
    >
    > Hi Niklas,
    > Have you enabled tracing at the IAS?
    > Command: netsh ras set tracing * enabled
    >
    > Then you can see much more of what happens in the "background".
    > You can also look in the Wireless Monitor snap-in for the MMC at the XP
    > computer.
    >
    > It has helped me :-) /Jan-Erik
    >
    > Niklas wrote:
    > > *Hi,
    > > XP client running wzc (WPA with radius)
    > > AP setup to use radius
    > > Windows 2000 server using IAS for authentication and accounting.
    > > using MS-CHAP v2 to authenticate against AD
    > >
    > > I have set up everything as it should be (but I'm missing something, since
    > > it isn't working) as stated in "Enterprise deployment of windows-based
    > > IEEE 802.11 Networks"
    > >
    > > I also looked at the post by Lars M. Hansen about the D-Link 624 and
    > > WPA/RADIUS support?
    > > and everything seems as it should work.
    > >
    > > I have set up the CA and have through auto enrollment received the
    > > computer certificate on the client.
    > > Have set up the IAS with a radius-client pointing to my access point.
    > > Have created a remote access policy "NAS-port-type" IEEE 802.11 OR
    > > Wireless - other"
    > > and also have a group added with my user in it, the user has access
    > > granted on the dial-up tab
    > >
    > > If I start the wzc on the client, Ethereal starts monitoring EAP messages.
    > > I don't get any error or warning in the event viewer on the server.
    > > but the EAP doesn't succeed and thus doesn't start sending EAPOL messages
    > >
    > > if I remove myself from the wireless group that is added in the remote
    > > access policy I get a warning, in the event viewer
    > >
    > > Event Type: Warning
    > > Event Source: IAS
    > > Event Category: None
    > > Event ID: 2
    > > Date: 2004-05-26
    > > Time: 13:38:09
    > > User: N/A
    > > Computer: Server
    > > Description:
    > > User myDomain\myUser was denied access.
    > > Fully-Qualified-User-Name = myDomain\myUser
    > > NAS-IP-Address = 192.168.0.27
    > > NAS-Identifier = 0030bd9da2db
    > > Called-Station-Identifier = 0030bd9da2db
    > > Calling-Station-Identifier = 0006254a52c4
    > > Client-Friendly-Name = Belkin AP
    > > Client-IP-Address = 192.168.0.27
    > > NAS-Port-Type = 19
    > > NAS-Port = 220
    > > Policy-Name = <undetermined>
    > > Authentication-Type = EAP
    > > EAP-Type = <undetermined>
    > > Reason-Code = 48
    > > Reason = The user's information did not match a Remote Access Policy.
    > >
    > > but as soon as I add myself to the group again I don't get this warning.
    > >
    > > I don't know where the authentication fails, anyone that has an idea about
    > > what I should try/check?
    > >
    > > thanks
    > > /Niklas *
    >
    >
    >
    > --
    > Jan-Erik
    > ------------------------------------------------------------------------
    > Posted via http://www.webservertalk.com
    > ------------------------------------------------------------------------
    > View this thread: http://www.webservertalk.com/message247391.html
    >
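
Added example, not part of the original thread: a small triage of RASTLS.LOG trace lines like those in the post above. It rejoins wrapped entries, decodes the returned SSPI status codes, and marks 0x8009030e (SEC_E_NO_CREDENTIALS) as expected when the same thread then logs the PEAP note, since PEAP's outer TLS handshake authenticates only the server and MS-CHAP v2 runs inside the tunnel. The function names and verdict labels are assumptions of this example.

```python
import re
# Constructed sample: part of the RASTLS.LOG excerpt quoted in the post above.
SAMPLE = """\
[3728] 16:02:38:335: AcceptSecurityContext returned 0x0
[3728] 16:02:38:335: AuthenticateUser
[3728] 16:02:38:335: QueryContextAttributes failed and returned 0x8009030e
[3728] 16:02:38:335: Got no credentials from the client and executing PEAP.
This is a success for eaptls.
[3728] 16:02:38:335: CreateMPPEKeyAttributes
[3728] 16:02:38:335: Negotiation successful
"""

LINE = re.compile(r"^\[(\d+)\] (\d\d:\d\d:\d\d:\d{3}): (.*)$")
STATUS = re.compile(r"(\w+) (?:failed and )?returned (0x[0-9a-fA-F]+)")
PEAP_NOTE = "Got no credentials from the client and executing PEAP"
# A few SSPI status codes from winerror.h (not exhaustive).
SSPI = {0x0: "SEC_E_OK", 0x00090312: "SEC_I_CONTINUE_NEEDED",
        0x8009030E: "SEC_E_NO_CREDENTIALS", 0x80090325: "SEC_E_UNTRUSTED_ROOT"}

def parse(text):
    """Return (thread_id, time, message) records, rejoining wrapped entries."""
    records = []
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if m:
            records.append(list(m.groups()))
        elif records and raw.strip():
            records[-1][2] += " " + raw.strip()  # continuation line
    return [tuple(r) for r in records]

def triage(text):
    """Return (findings, thread ids that logged 'Negotiation successful')."""
    records, findings, completed = parse(text), [], set()
    for i, (tid, when, msg) in enumerate(records):
        if msg == "Negotiation successful":
            completed.add(tid)
        m = STATUS.search(msg)
        if not m:
            continue
        code = int(m.group(2), 16)
        later = " ".join(r[2] for r in records[i + 1:] if r[0] == tid)
        if code < 0x80000000:        # severity bit clear: success/informational
            verdict = "ok"
        elif code == 0x8009030E and PEAP_NOTE in later:
            verdict = "expected-for-peap"  # assumption: the log's own note explains it
        else:
            verdict = "investigate"
        findings.append((when, m.group(1), SSPI.get(code, hex(code)), verdict))
    return findings, completed
```

Calling `triage(SAMPLE)` yields no "investigate" finding for the quoted excerpt and reports thread 3728 as having logged "Negotiation successful".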

